Page MenuHomeMiraheze

Naleksuh as security reviewer
Closed, DeclinedPublic

Description

Similar to T6312, when I posted the task for @SamanthaNguyen to become security reviewer, I now do the same exact thing for @Naleksuh.

Naleksuh has advanced knowledge of PHP scripting language, and would easily be able to spot security risks/deployment blockers. While I have not personally seen their knowledge/expirence first-hand, from my own interaction with them and from what I've heard from others, they do seem to know what they are talking about, and do have a least to some degree, knowledge of PHP, and will be able to preform this task. I have asked Naleksuh to comment to this task to confirm, as well as to begin a test review going off the basis of what @Southparkfan requested of me and SamanthaNguyen to hopefully make this task go smoothly and speed up the approval process. Thank you!

Event Timeline

Unknown Object (User) triaged this task as Normal priority.Oct 27 2020, 03:32
Unknown Object (User) created this task.
Southparkfan reassigned this task from Southparkfan to Unknown Object (User).Nov 8 2020, 16:10

Are there any contributions to MediaWiki core or extensions that can serve as evidence they are familiar with the MediaWiki architecture?

While my work in core has been primarily propositions, I like to work on solutions to problems and I have contributed to a number of floating extensions with my specialty being access levels. Me and Universal Omega were also going to make an extension that fixes bypassing create protection, although this is postponed due to IRL issues.

I am told the review process centers around commenting on extensions currently in queue. Are there any other extensions pending addition that I may review?

Unknown Object (User) reassigned this task from Unknown Object (User) to Southparkfan.Nov 9 2020, 06:37

@Universal_Omega I could be wrong, but when I saw that @Southparkfan assigned this Phabricator ticket to you, he might have been suggesting for you to pick an extension in the queue for @Naleksuh to review, perhaps, and that, though the final approval decision of @Naleksuh as a security reviewer would rest with @Southparkfan and the Site Reliability Engineering team (who, in practice, essentially defer to Southparkfan with regard to such matters), he values your input and would give it a great deal of weight in the approval decision. On the other hand, I may have read too much into him handing off this Phabricator ticket to you, and be completely wrong, which is totally fine.

As far as @Naleksuh's security reviewer application goes, though I realize I have no real input into this, I will just say that I encouraged Naleksuh to put his name forward as a security reviewer, acknowledging his php coding experience and, in part, because of the discussion the three of us had about him potentially developing an extension with @Universal_Omega. Together with @SamanthaNguyen and @Universal_Omega, I think it would be absolutely wonderful to have three new experienced security reviewers on the team, all in the span of 3-4 months.

Unknown Object (User) added a comment.EditedNov 10 2020, 05:20

@Dmehus I am pretty sure @Southparkfan just wanted me to answer the above question. But @Naleksuh already did.

Are there any contributions to MediaWiki core or extensions that can serve as evidence they are familiar with the MediaWiki architecture?

" But @Naleksuh already did." Considering he used "they" I would assume you are supposed to answer, perhaps based on the history of #miraheze. It's also possible to try via reviewing extensions that are proposed for addition, which I could do. Are there any in mind?

@Naleksuh, I'd support. Seems good, bureaucrat on TestWiki, knowledge of coding, seems competent.

SCVSlalom lowered the priority of this task from Normal to Low.Nov 12 2020, 01:09

For now, moving to low.

Unknown Object (User) raised the priority of this task from Low to Normal.Nov 12 2020, 01:20
Unknown Object (User) reassigned this task from Southparkfan to Naleksuh.EditedNov 12 2020, 01:32

" But @Naleksuh already did." Considering he used "they" I would assume you are supposed to answer, perhaps based on the history of #miraheze. It's also possible to try via reviewing extensions that are proposed for addition, which I could do. Are there any in mind?

I suppose you can do a test review of an extension. But keep in mind I say this in no official capacity and @Southparkfan holds the overall decision. You can pick one from Extensions if you wish. But again, I do not say this under official capacity in any way.

Quoting Southparkfan from my own request,

Good to see interest in this job! I would recommend doing an actual security review of a pending extension, using the checklist from https://www.mediawiki.org/wiki/Security_checklist_for_developers. Note the good (e.g. CSRF tokens used, code being compliant with MediaWiki's standards and thus making the review much easier) and bad points (e.g. a lot of htmlspecialchars usage within echo statements, instead of using the Html functions) of the extension's code, security risks you find (e.g. accessing external resources, thus introducing DoS possibilities, passing user input directly into shell commands). Especially for a somewhat larger extension, that gives me an idea about your review capabilities. If I think you are capable of doing security reviews for real, you may be grant permission to approve extensions without being in a SRE position or similar.

Unknown Object (User) removed a subscriber: BrandonWM.Nov 19 2020, 05:04
In T6360#129984, @John wrote:

@Naleksuh any updates on this from your end?

Hey there. Per the last comment by Universal Omega, I was somewhat under the impression that I was waiting on a response from Southparkfan. If that is not the case, should I proceed as Universal Omega suggested?

Unknown Object (User) reassigned this task from Naleksuh to Southparkfan.Jan 3 2021, 05:40

Reassigning to Southparkfan, for how to proceed here since there are no more extensions to review.

@Universal_Omega Since we now have T6700 in the extension review queue, could this be an appropriate extension for @Naleksuh and @R4356th to post their security reviews in their respective requests? Whether we install the extension is another matter, but don't really need to install an extension; we just need to have an extension for them to review

Unknown Object (User) added a comment.Jan 7 2021, 20:26

@Universal_Omega Since we now have T6700 in the extension review queue, could this be an appropriate extension for @Naleksuh and @R4356th to post their security reviews in their respective requests? Whether we install the extension is another matter, but don't really need to install an extension; we just need to have an extension for them to review

No, because as of right now, it's not in the queue and is not until they reply if they really need it.

Unknown Object (User) closed this task as Declined.Jan 9 2021, 05:46
Unknown Object (User) claimed this task.

Unfortunately and regrettably I must decline this now, after a conversation I had with @Southparkfan on IRC, we can't really approve this without evidence that shows your knowledge and abilities to preform in this capacity. If you do feel you can provide such evidence, do feel free to reopen and it'll later be considered. Thank you!

It is my understanding that the list of extensions is currently empty. If that is the case, what is the deal with other similar requests?

Unknown Object (User) added a comment.Jan 9 2021, 06:13

It is my understanding that the list of extensions is currently empty. If that is the case, what is the deal with other similar requests?

In this case it's the lack of evidence of your understanding. In other words no existing extension examples of your own to go off of.

Naleksuh changed the task status from Open to Stalled.Jan 9 2021, 06:20

In that case I would likely put this on hold until more extensions are avaailable

Unknown Object (User) added a comment.Jan 9 2021, 06:25

In that case I would likely put this on hold until more extensions are avaailable

It's not the lack of extensions to review. Reviewing an extension is not necessarily, solely enough. You'll need to show your own PHP, etc.. skills as well, at least from my understanding. Security reviewer is a serious job on there must be serious consideration in the matter of approving or declining security reviewer requests.

Unknown Object (User) closed this task as Declined.Jan 9 2021, 06:44

Declining again per my above comments. This doesn't mean it can't be reopened just that it is declined for now and doesn't necessarily warrent to be a stalled task.